E-mail autofill blunder leaks personal details of G20 world leaders

Presidents, prime ministers not informed of data breach when it was discovered.

A mistake with Microsoft Outlook's autofill feature sent personal details of the world's top leaders attending the G20 summit in Brisbane, Australia, to organizers of the Asian Cup soccer tournament. Those affected include the presidents of the US, China, Russia, Brazil, the European Commission, France, and Mexico; the prime ministers of Japan, India, the UK, Italy, and Canada; and the German Chancellor. Among the information disclosed was the passport numbers, visa details, and other personal identifiers.

The blunder occurred on November 7 last year, just before the G20 summit took place. Details are contained in an e-mail sent to the Australian privacy commissioner by the director of the visa services division of Australia's Department of Immigration and Border Protection, obtained by The Guardian using a freedom of information request. The e-mail explains: "The cause of the breach was human error. [Name redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person."

Rather surprisingly, in view of the individuals involved, they were not informed of this breach when it was discovered. The director of the visa services division explained why in the e-mail obtained by The Guardian: "Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the e-mail, I do not consider it necessary to notify the clients of the breach."

Those "actions" consisted of the unintended recipient deleting the e-mail in question, assurances from the Asian Cup Local Organising Committee that there was "no record" of the e-mail being forwarded anywhere, and further confirmation that the email was not copied to a backup. Whether those were indeed sufficient to "limit further distribution of the e-mail" is unclear. Most of the leaked information was publicly available, while passport details are unlikely to be much use to criminals given the prominence of the people affected.

This isn't the first major data protection lapse by the Australian authorities. In February last year, the personal details of nearly 10,000 adults and children seeking asylum in Australia were revealed by the Department of Immigration and Border Protection on its website. That inability to secure confidential information is troubling in the light of Australia's new data retention laws, which will require large-scale stores of online users' personal metadata to be created. The Guardian quotes Green Party Senator Sarah Hanson-Young as saying: "Only last week the government was calling on the Australian people to trust them with their online data, and now we find out they have disclosed the details of our world leaders."